PHP SERVER HTTP HOST vs SERVER SERVER NAME am I understanding the man pages correctly

Question

I did a lot of searching and also read the PHP   SERVER docs  Do I have this right regarding which to use for my PHP scripts for simple link definitions used throughout my site     SERVER  SERVER NAME   is based on your web server s config file  Apache2 in my case   and varies depending on a few directives   1  VirtualHost   2  ServerName   3  UseCanonicalName  etc     SERVER  HTTP HOST   is based on the request from the client   Therefore  it would seem to me that the proper one to use in order to make my scripts as compatible as possible would be   SERVER  HTTP HOST    Is this assumption correct   Followup comments   I guess I got a little paranoid after reading this article and noting that some folks said  they wouldn t trust any of the   SERVER vars     http   markjaquith wordpress com 2009 09 21 php-server-vars-not-safe-in-forms-or-links  http   php net manual en reserved variables server php 89567  comment  Vladimir Kornea 14-Mar-2009 01 06    Apparently the discussion is mainly about   SERVER  PHP SELF   and why you shouldn t use it in the form action attribute without proper escaping to prevent XSS attacks   My conclusion about my original question above is that it is  safe  to use   SERVER  HTTP HOST   for all links on a site without having to worry about XSS attacks  even when used in forms   Please correct me if I m wrong

User · Answer

The major difference between the two is that $_SERVER['SERVER_NAME'] is a server controlled variable, while $_SERVER['HTTP_HOST'] is a user-controlled value.

The rule of thumb is to never trust values from the user, so $_SERVER['SERVER_NAME'] is the better choice.

As Gumbo pointed out, Apache will construct SERVER_NAME from user-supplied values if you don't set UseCanonicalName On.

Edit: Having said all that, if the site is using a name-based virtual host, the HTTP Host header is the only way to reach sites that aren't the default site.

User · Answer

Is it  quot safe quot  to use   SERVER  HTTP HOST   for all links on a site without having to worry about XSS attacks  even when used in forms   Yes  it s safe to use   SERVER  HTTP HOST     and even   GET and   POST  as long as you verify them before accepting them  This is what I do for secure production servers                                                                                           reject request   true  if array key exists  HTTP HOST     SERVER         host name     SERVER  HTTP HOST             need to cater for  host port  since some  quot buggy quot  SAPI s  have been known to return the port too  see http   goo gl bFrbCO      strpos   strpos  host name            if  strpos     false            host name   substr  host name   strpos                           for dynamic verification  replace this chunk with db file curl queries      reject request    array key exists  host name  array           a com    gt  null           a a com    gt  null           b com    gt  null           b b com    gt  null                    if  reject request          log errors        display errors  optional      exit                                                                                            echo  Hello World            The advantage of   SERVER  HTTP HOST   is that its behavior is more well-defined than   SERVER  SERVER NAME    Contrast      Contents of the Host  header from the current request  if there is one   with   The name of the server host under which the current script is executing   Using a better defined interface like    SERVER  HTTP HOST   means that more SAPIs will implement it using reliable well-defined behavior   Unlike the other   However  it is still totally SAPI dependent      There is no guarantee that every web server will provide any of these    SERVER entries   servers may omit some  or provide others not listed here   To understand how to properly retrieve the host name  first and foremost you need to understand that a server which contains only code has no means of knowing  pre-requisite for verifying  its own name on the network  It needs to interface with a component that supplies it its own name  This can be done via   local config file  local database  hardcoded source code  external request  curl   client attacker s Host  request  etc   Usually its done via the local  SAPI  config file  Note that you have configured it correctly  e g  in Apache      A couple of things need to be  faked  to make the dynamic virtual host look like a normal one  The most important is the server name which is used by Apache to generate self-referential URLs  etc  It is configured with the ServerName directive  and it is available to CGIs via the SERVER NAME environment variable  The actual value used at run time is controlled by the UseCanonicalName setting  With UseCanonicalName Off the server name comes from the contents of the Host  header in the request  With UseCanonicalName DNS it comes from a reverse DNS lookup of the virtual host s IP address  The former setting is used for name-based dynamic virtual hosting  and the latter is used for   IP-based hosting  If Apache cannot work out the server name because there is no Host  header or the DNS lookup fails then the value configured with ServerName is used instead

User · Answer

I am not sure and not really trust   SERVER  HTTP HOST   because it depend on header from client  In another way  if a domain requested by client is not mine one  they will not getting into my site because DNS and TCP IP protocol point it to the correct destination  However I don t know if possible to hijack the DNS  network or even Apache server  To be safe  I define host name in environment and compare it with   SERVER  HTTP HOST     Add SetEnv MyHost domain com in  htaccess file on root and add ths code in Common php  if  getenv  MyHost      SERVER  HTTP HOST        header   SERVER  SERVER PROTOCOL     400 Bad Request      exit        I include this Common php file in every php page  This page doing anything required for each request like session start    modify session cookie and reject if post method come from different domain

User · Answer

That   s probably everyone   s first thought  But it   s a little bit more difficult  See Chris Shiflett   s article SERVER NAME Versus HTTP HOST   It seems that there is no silver bullet  Only when you force Apache to use the canonical name you will always get the right server name with SERVER NAME   So you either go with that or you check the host name against a white list    allowed hosts   array  foo example com    bar example com    if   isset   SERVER  HTTP HOST        in array   SERVER  HTTP HOST     allowed hosts         header   SERVER  SERVER PROTOCOL     400 Bad Request        exit

User · Answer

First I want to thank you for all the good answers and explanations  This is the method I created based upon all your answer to get the base url  I only use it in very rare situations  So there is NOT a big focus on security issues  like XSS attacks  Maybe someone needs it      Get base url function getBaseUrl  array false         protocol            host            port            dir                 Get protocol     if array key exists  HTTPS     SERVER   amp  amp    SERVER  HTTPS                    if   SERVER  HTTPS       on      protocol    https             else    protocol    http           elseif array key exists  REQUEST SCHEME     SERVER   amp  amp    SERVER  REQUEST SCHEME             protocol     SERVER  REQUEST SCHEME              Get host     if array key exists  HTTP X FORWARDED HOST     SERVER   amp  amp    SERVER  HTTP X FORWARDED HOST             host   trim end explode        SERVER  HTTP X FORWARDED HOST             elseif array key exists  SERVER NAME     SERVER   amp  amp    SERVER  SERVER NAME             host     SERVER  SERVER NAME          elseif array key exists  HTTP HOST     SERVER   amp  amp    SERVER  HTTP HOST             host     SERVER  HTTP HOST          elseif array key exists  SERVER ADDR     SERVER   amp  amp    SERVER  SERVER ADDR             host     SERVER  SERVER ADDR            elseif array key exists  SSL TLS SNI     SERVER   amp  amp    SERVER  SSL TLS SNI             host     SERVER  SSL TLS SNI              Get port     if array key exists  SERVER PORT     SERVER   amp  amp    SERVER  SERVER PORT             port     SERVER  SERVER PORT          elseif stripos  host           false     port   substr  host   stripos  host       1             Remove port from host      host   preg replace     d           host           Get dir     if array key exists  SCRIPT NAME     SERVER   amp  amp    SERVER  SCRIPT NAME             dir     SERVER  SCRIPT NAME          elseif array key exists  PHP SELF     SERVER   amp  amp    SERVER  PHP SELF             dir     SERVER  PHP SELF          elseif array key exists  REQUEST URI     SERVER   amp  amp    SERVER  REQUEST URI             dir     SERVER  REQUEST URI             Shorten to main dir     if stripos  dir           false     dir   substr  dir  0   strripos  dir       1              Create return value     if   array            if  port     80      port     443      port           port                 else    port        port             return htmlspecialchars  protocol        host  port  dir  ENT QUOTES          else   return   protocol    gt   protocol   host    gt   host   port    gt   port   dir    gt   dir

User · Answer

Use either  They are both equally  in secure  as in many cases SERVER NAME is just populated from HTTP HOST anyway  I normally go for HTTP HOST  so that the user stays on the exact host name they started on  For example if I have the same site on a  com and  org domain  I don t want to send someone from  org to  com  particularly if they might have login tokens on  org that they d lose if sent to the other domain   Either way  you just need to be sure that your webapp will only ever respond for known-good domains  This can be done either  a  with an application-side check like Gumbo s  or  b  by using a virtual host on the domain name s  you want that does not respond to requests that give an unknown Host header   The reason for this is that if you allow your site to be accessed under any old name  you lay yourself open to DNS rebinding attacks  where another site s hostname points to your IP  a user accesses your site with the attacker s hostname  then the hostname is moved to the attacker s IP  taking your cookies auth with it  and search engine hijacking  where an attacker points their own hostname at your site and tries to make search engines see it as the    best    primary hostname       Apparently the discussion is mainly about   SERVER  PHP SELF   and why you shouldn t use it in the form action attribute without proper escaping to prevent XSS attacks    Pfft  Well you shouldn t use anything in any attribute without escaping with htmlspecialchars  string  ENT QUOTES   so there s nothing special about server variables there

User · Answer

XSS will always be there even if you use   SERVER  HTTP HOST      SERVER  SERVER NAME   OR   SERVER  PHP SELF

User · Answer

This is a verbose translation of what Symfony uses to get the host name  see the second example for a more literal translation    function getHost          possibleHostSources   array  HTTP X FORWARDED HOST    HTTP HOST    SERVER NAME    SERVER ADDR         sourceTransformations   array           HTTP X FORWARDED HOST    gt  function  value                 elements   explode       value               return trim end  elements                          host           foreach   possibleHostSources as  source                if   empty  host   break          if  empty   SERVER  source    continue           host     SERVER  source           if  array key exists  source   sourceTransformations                          host    sourceTransformations  source   host                            Remove port number from host      host   preg replace     d           host        return trim  host         Outdated   This is my translation to bare PHP of a method used in Symfony framework that tries to get the hostname from every way possible in order of best practice   function get host         if   host     SERVER  HTTP X FORWARDED HOST                   elements   explode       host             host   trim end  elements              else               if    host     SERVER  HTTP HOST                          if    host     SERVER  SERVER NAME                                   host    empty   SERVER  SERVER ADDR        SERVER  SERVER ADDR                                               Remove port number from host      host   preg replace     d           host        return trim  host

User · Answer

Just an additional note - if the server runs on a port other than 80  as might be common on a development intranet machine  then HTTP HOST contains the port  while SERVER NAME does not     SERVER  HTTP HOST       localhost 8080    SERVER  SERVER NAME       localhost     At least that s what I ve noticed in Apache port-based virtualhosts   As Mike has noted below  HTTP HOST does not contain  443 when running on HTTPS  unless you re running on a non-standard port  which I haven t tested

[php] PHP $_SERVER['HTTP_HOST'] vs. $_SERVER['SERVER_NAME'], am I understanding the man pages correctly?

Examples related to php

Examples related to apache

Examples related to security

Examples related to owasp